tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Servlet 3.0 File Upload
Date Mon, 05 Sep 2011 08:22:15 GMT
This must be about the worst advice I have ever seen.
What about someone typing e.g. "/etc/passwd" in that text box?

If you allow people to upload files to your server, you should create your own location 
and naming scheme for the uploaded files.  You should not even use the original filename,

unless you are dying to experience all the silly things that people can think of in terms

of filenames (with spaces in them, or characters that are valid on one platform but not 
another, or characters in various character sets and so on.)

Jonathan Soons wrote:
> You need to add a line in in your form:
> <input type="text" name="filename" />
> Then in your servlet GetPost() method you put this filename in a variable:
> String filename;
> filename = req.getParameter("filename");
> Then instead of part.write("samplefile");
> do:
> part.write(filename);
> Jonathan Soons
> ________________________________________
> From: Ole Ersoy []
> Sent: Friday, September 02, 2011 6:50 PM
> To: Tomcat Users List
> Subject: Servlet 3.0 File Upload
> Hi,
> I have a working file upload servlet, with the exception that it calls the uploaded file
"samplefile" instead of using the name of the file.  So if I upload different files, they
all overwrite each other.  Any ideas on how to fix this?  I used this tutorial to get it working:
> TIA,
> - Ole
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message